Debian Libjwt vulnerabilities
2 known vulnerabilities affecting debian/libjwt.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, LOW 1
Vulnerabilities
CVE-2026-33996 | LOW | CVSS 5.8 | fixed in libjwt3 3.3.2-1 (forky) | 2026
CVE-2026-33996 [MEDIUM] CVE-2026-33996: libjwt - LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to ver...
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is avail
debian
CVE-2024-25189 | CRITICAL | CVSS 9.8 | fixed in libjwt 1.10.2-1+deb12u1 (bookworm) | 2024
CVE-2024-25189 [CRITICAL] CVE-2024-25189: libjwt - libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication,...
libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
Scope: local
bookworm: resolved (fixed in 1.10.2-1+deb12u1)
bullseye: resolved (fixed in 1.10.2-1+deb11u1)
forky: resolved (fixed in 1.17.0-2)
sid: resolved (fixed in 1.17.0-2)
trixie: resolved (fixed in 1.17.0
debian